145 matches found
rnd_hex_encode
This evasion plugin adds random hex encoding. Example: Input: /bar/foo.asp Output : /b%61r/%66oo.asp Plugin type Evasion Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand...
sitemap_xml
This plugin searches for the sitemap.xml file, and parses it. The sitemap.xml file is used by the site administrator to give the Google crawler more information about the site. By parsing this file, the plugin finds new URLs and other useful information. Plugin type Crawl Options This plugin does...
strange_http_codes
Analyze HTTP response codes sent by the remote web application and report uncommon findings. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly...
generic
This authentication plugin can login to web application with generic authentication schema. Seven configurable parameters exist: username password usernamefield passwordfield authurl checkurl checkstring Plugin type Auth Options Name | Type | Default Value | Description | Help ---|---|---|---|---...
server_header
This plugin GETs the server header and saves the result to the knowledge base. Nothing strange, just do a GET request to the url and save the server headers to the kb. A smarter way to check the server type is with the hmap plugin. Plugin type Infrastructure Options This plugin doesnt have any us...
detect_reverse_proxy
This plugin tries to determine if the remote end has a reverse proxy installed. The procedure used to detect reverse proxies is to send a request to the remote server and analyze the response headers, if a Via header is found, chances are that the remote site has a reverse proxy. Plugin type...
http_vs_https_dist
This plugin analyzes the network distance between the HTTP and HTTPS ports giving a detailed report of the traversed hosts in transit to target:port. You should have root/admin privileges in order to run this plugin succesfully. Explicitly declared ports on the entered target override those...
http_auth_detect
This plugin greps every page and finds responses that indicate that the resource requires authentication. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understa...
fingerprint_os
This plugin fingerprints the remote web server and tries to determine the Operating System family Windows, Unix, etc.. The fingerprinting is at this moment really trivial, because it only uses one technique: windows path separator in the URL. For example, if the input URL is...
private_ip
This plugin greps every page body and headers for private IP addresses. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...
detect_transparent_proxy
This plugin tries to detect transparent proxies. The procedure for detecting transparent proxies is simple, I try to connect to a series of IP addresses, to the port 80, if all of them return an opened socket, then its the proxy server responding. Plugin type Infrastructure Options This plugin...
digit_sum
This plugin tries to find new URLs by changing the numbers that are present on it. Two configurable parameters exist: fuzzImages maxDigitSections An example will clarify what this plugin does, lets suppose that the input for this plugin is: http://host.tld/index1.asp This plugin will request:...
backspace_between_dots
This evasion plugin inserts an A and a backspace control character between dots which cancel each other when they are processed and some filters that match ../ are bypassed. Example: Input: ../../etc/passwd Output: .%41%08./.%41%08./etc/passwd Plugin type Evasion Options This plugin doesnt have a...
ldapi
This plugin will find LDAP injections by sending a specially crafted string to every parameter and analyzing the response for LDAP errors. Plugin type Audit Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres...
xst
This plugin finds the Cross Site Tracing XST vulnerability. No configurable paramaters are available. The TRACE method echos back requests sent to it. This plugin sends a TRACE request to the server and if the request is echoed back then XST is confirmed. Plugin type Audit Options This plugin...
cors_origin
Inspect if application check that the value of the "Origin" HTTP header is consistent with the value of the remote IP address/Host of the sender of the incoming HTTP request. Configurable parameters are: originheadervalue Note : This plugin is useful to test "Cross Origin Resource Sharing CORS"...
generic
This plugin finds all kind of bugs without using a fixed database of errors. This is a new kind of methodology that solves the main problem of most web application security scanners. Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- diffratio | float |...
un_ssl
This plugin verifies that URLs that are available using HTTPS arent available over an insecure HTTP protocol. To detect this, the plugin simply requests "https://abc/a.asp" and "http://abc.asp" and if both are equal, a vulnerability is found. Plugin type Audit Options This plugin doesnt have any...
console
This plugin writes the framework messages to the console. One configurable parameter exists: verbose Plugin type Output Options Name | Type | Default Value | Description | Help ---|---|---|---|--- verbose | boolean | False | Enables verbose output for the console | No detailed help available Sour...
wsdl_finder
This plugin finds new web service descriptions and other web service related files by appending "?WSDL" to all URLs and checking the response. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests,...
favicon_identification
This plugin identifies software version using favicon.ico file. It checks MD5 of favicon against the MD5 database of favicons. See also: http://www.owasp.org/index.php/Category:OWASPFaviconDatabaseProject http://kost.com.hr/favicon.php Plugin type Infrastructure Options This plugin doesnt have an...
archive_dot_org
This plugin does a search in archive.org and parses the results. It then uses the results to find new URLs in the target site. This plugin is a time machine ! Plugin type Crawl Options Name | Type | Default Value | Description | Help ---|---|---|---|--- maxdepth | integer | 3 | Maximum recursion...
dns_wildcard
This plugin compares the contents of www.site.com and site.com and tries to verify if the target site has a DNS wildcard configuration or not. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated...
error_pages
This plugin scans every page for error pages, and if possible extracts the web server or programming framework information. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the sourc...
url_fuzzer
This plugin will try to find new URLs based on the input. If the input is for example: http://a/a.html The plugin will request: http://a/a.html.tgz http://a/a.tgz http://a/a.zip … etc If the response is different from the 404 page whatever it may be, automatic detection is performed, then we have...
frontpage_version
This plugin searches for the FrontPage Server Info file and if it finds it will try to determine the version of the Frontpage Server Extensions. The file is located inside the web server webroot. For example: http://localhost/vtiinf.html Plugin type Infrastructure Options This plugin doesnt have...
domain_dot
This plugin finds misconfigurations in the virtual host settings by sending a specially crafted request with a trailing dot in the domain name. For example, if the input for this plugin is http://host.tld/ , the plugin will perform a request to http://host.tld./ . In some misconfigurations, the...
user_dir
This plugin will try to find user home directories based on the knowledge gained by other plugins, and an internal knowledge base. For example, if the target URL is: http://test/ And other plugins found this valid email accounts: email protected email protected This plugin will request:...
ghdb
This plugin finds possible vulnerabilities using google. One configurable parameter exist: resultlimit Using the google hack database released by Exploit-DB.com, this plugin searches Google for possible vulnerabilities in the target domain. Special thanks go to the guys at...
fingerprint_waf
Try to fingerprint the Web Application Firewall that is running on the remote end. Please note that the detection of the WAF is performed by the infrastructure.afd plugin afd stands for Active Filter Detection. Plugin type Infrastructure Options This plugin doesnt have any user configured options...
hmap
This plugin fingerprints the remote web server and tries to determine the server type, version and patch level. It uses fingerprinting, not just the Server header returned by remote server. This plugin is a wrapper for Dustin Lees hmap. One configurable parameters exist: genFpF If genFpF is set t...
lang
This plugin reads N pages and determines the language the site is written in. This is done by saving a list of prepositions in different languages, and counting the number of matches on every page. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more...
http_in_body
This plugin searches for HTTP responses that contain other HTTP request/responses in their response body. This situation is mostly seen when programmers enable some kind of debugging for the web application, and print the original request in the response HTML as a comment. Plugin type Grep Option...
xpath
This plugin finds XPATH injections. To find this vulnerabilities the plugin sends the string "dz0" to every injection point, and searches the response for XPATH errors. Plugin type Audit Options This plugin doesnt have any user configured options. Source For more information about this plugin and...
objects
This plugin greps every page for applets and other types of objects. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plug...
symfony
This plugin greps every page for traces of the Symfony framework and the lack of CSRF protection. Plugin type Grep Options Name | Type | Default Value | Description | Help ---|---|---|---|--- override | boolean | False | Skip symfony detection and search for the csrf misprotection. | No detailed...
mod_security
This evasion plugin performs a bypass for modsecurity version 2.1.0 or less here: http://www.php-security.org/MOPB/BONUS-12-2007.html Important: The evasion only works for postdata. Example: Post-data Input: a=b Post-data Output : \x00a=b Plugin type Evasion Options This plugin doesnt have any us...
dav
This plugin finds WebDAV configuration errors. These errors are generally server configuration errors rather than a web application errors. To check for vulnerabilities of this kind, the plugin will try to PUT a file on a directory that has WebDAV enabled, if the file is uploaded successfully, th...
response_splitting
This plugin will find response splitting vulnerabilities. The detection is done by sending "w3af\r\nVulnerable: Yes" to every injection point, and reading the response headers searching for a header with name "Vulnerable" and value "Yes". Plugin type Audit Options This plugin doesnt have any user...
ria_enumerator
This plugin searches for various Rich Internet Application files. It currently searches for: Google gears manifests These files are used to determine which files are locally cached by google gears. They do not get cleared when the browser cache is cleared and may contain sensitive information. Fl...
ajax
This plugin greps every page for traces of Ajax code. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin source code...
form_auth
This plugin bruteforces form authentication logins. Eleven configurable parameters exist: usersFile stopOnFirst passwdFile passEqUser useLeetPasswd useMailUsers useSvnUsers useMails useProfiling profilingNumber comboFile comboSeparator This plugin will take users from the file pointed by...
html_file
This plugin writes the framework messages to an HTML report file. Two configurable parameters exist: outputfile verbose If you want to write every HTTP request/response to a text file, you should use the textfile plugin. Plugin type Output Options Name | Type | Default Value | Description | Help...
phishtank
This plugin searches the domain being tested in the phishtank database. If your site is in this database the chances are that you were hacked and your server is now being used in phishing attacks. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more...
rnd_case
This evasion plugin changes the case of random letters. Example: Input: /bar/foo.asp Output : /BAr/foO.Asp Plugin type Evasion Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to...
find_dvcs
This plugin search git, hg, bzr, svn or cvs repositories and checks for files containing. For example, if the input is: http://host.tld/w3af/index.php The plugin will perform requests to: http://host.tld/w3af/.git/index http://host.tld/w3af/.gitignore http://host.tld/w3af/.hg/store/fncache...
finger_bing
This plugin finds mail addresses in Bing search engine. One configurable parameter exist: resultlimit This plugin searches Bing for : "@domain.com", requests all search results and parses them in order to find new mail addresses. Plugin type Infrastructure Options Name | Type | Default Value |...
wsdl_greper
This plugin greps every page for WSDL definitions. Not all wsdls are found appending "?WSDL" to the url like crawl.wsdlfinder plugin does, this grep plugin will find some wsdls that arent found by the crawl plugin. Plugin type Grep Options This plugin doesnt have any user configured options. Sour...
detailed
This authentication plugin can login to web application with more detailed and complex authentication schemas where the generic plugin does not work. Nine configurable parameters exist: username password usernamefield passwordfield dataformat authurl method checkurl checkstring Plugin type Auth...
find_captchas
This plugin finds any CAPTCHA images that appear on a HTML document. The crawl is performed by requesting the document two times, and comparing the image hashes, if they differ, then they may be a CAPTCHA. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For...